IP blocked in Rules but still accessing FTP
-
Yes there were more rules. I only copied the rules set down to the level that showed the block for "Badguys". The IP I'm trying to block is listed in that alias so it should stop at that point regardless of the rules below it. I was just showing that there weren't any rules above it that should have allowed it to pass. Once it hits this block the rest of the rules don't matter.
WAN net (set up by pfSense support) allows access to the pfSense settings when in transparent mode. Should it be an IP? I don't know. Since pfSense support set it up and they're smarter than I am, I left it the way they had it.
-
From my FTP server. I get hit every few min.
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 220-Thank you for visiting namehere ftp server.
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 220 All actions are logged.
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> SSH-2.0-libssh2_1.4.1
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 500 Syntax error, command unrecognized.
(001914)5/7/2015 15:47:37 PM - (not logged in) (71.232.46.105)> disconnected.
(001915)5/7/2015 15:54:15 PM - (not logged in) (157.7.237.232)> Connected on port 22, sending welcome message…And from my "badguys" alias as seen on the rules, they're blocked. So how did they get to the FTP? They should have been blocked long before they got down to the port settings for the FTP connection.
-
Dude. FTP is NOT SSH. Sigh. WTF.
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> SSH-2.0-libssh2_1.4.1
(001915)5/7/2015 15:54:15 PM - (not logged in) (157.7.237.232)> Connected on port 22, sending welcome message… -
WAN net is the entire subnet your WAN interface is part of. WAN address is just the IP address used by your WAN.
My personal view is that you should ignore this guy or you will be playing whack-a-mole with him and other bots forever. Let them knock on your door. Just ignore them. However, the challenge in this situation is how is he getting in in the first place? We still haven't seen anything that shows the link between pfSense and your FTP server, no FTP rule, no port-forward. Are you using an IP alias or is your FTP server listening on your WAN IP address?
Dude. FTP is NOT SSH. Sigh. WTF.
Regardless, how is this IP getting past the firewall?
-
@KOM:
Dude. FTP is NOT SSH. Sigh. WTF.
Regardless, how is this IP getting past the firewall?
How? Because the "remotemanagement" allow rule is before "badguys" block. Useless.
-
Dude. FTP is NOT SSH. Sigh. WTF.
Of course not. He's connected to my FTP server already when he's entering the SSH command. He should have never been able to connect to my FTP server if his IP was blocked. He should have never been able to get to the FTP prompt to attempt to enter the SSH command.
-
Kindly go Google the difference between SSH and FTP. You don't have any FTP server there. libssh is not FTP and port 22 is not FTP either. Also your rules ordering is wrong, as noted above.
-
@KOM:
Dude. FTP is NOT SSH. Sigh. WTF.
Regardless, how is this IP getting past the firewall?
How? Because the "remotemanagement" allow rule is before "badguys" block. Useless.
I don't understand. Remotemanagement only lists two fixed IPs for granting access. He isn't from either of those IPs. How is that making it useless?
-
I don't understand. Remotemanagement only lists two fixed IPs for granting access.
Apparently not. Also, those pfBlocker rules are just whacky. I really don't think you have a clue what you are doing.
-
OK, I've attached more rules. You will see the bottom on is FTP but by being on the bottom, only access that hasn't already been blocked should get down the rule set this far. And yes, there is an FTP server, and yes, I know the difference, and yes, he's attempting to enter SSH commands on and FTP connection, and no, he shouldn't have gotten that far to do so and that's what I'm trying to figure out. How did he get to the bottom of the rule list if there's a specific block for his IP at the top of the list (right below Remotemanagement which only passes two IPs).
-
I don't understand. Remotemanagement only lists two fixed IPs for granting access.
Apparently not. Also, those pfBlocker rules are just whacky. I really don't think you have a clue what you are doing.
The pfBlocker rules are created by pfBlocker, not me. None of them are giving a pass to this guy's IPs. They're all blocks.
-
Let me repeat the port 22 is NOT FTP and libssh does NOT support FTP at all. What server are those logs from?
The pfBlocker rules are created by pfBlocker, not me. None of them are giving a pass to this guy's IPs. They're all blocks.
Yeah. Based on your whacky misconfiguration that's apparently trying to block the entire world.
OK, I've attached more rules.
Yeah. Looking at that censored mess… humble suggestion: go ditch that frenzy and restart from scratch. Or perhaps better hire someone for the job.
-
Port 22 is indeed routed to the FTP server and the FTP server is listening on that port as well as others. FTPFileZilla is the FTP server running.
And while you call this a "whacky misconfiguration", I'll point out again that support from pfSense has reviewed the configuration. Chris himself set up parts of it.
And yes, blocking most of the world would be just fine with me because our business isn't a world-wide business.
-
Sigh.
1/ No, port 22 is NOT routed to the FTP server. Not per the rules you posted.
2/ Oh, sure. Call me dalai lama.
3/ No. There's this implicit block all rule. Allow what you need from where you need ONLY. The rest is blocked. Not this ridiculous overhead with millions of table entries.Of course, when you keep sticking allow everyone from everywhere to anywhere any protocol in random places between some more random disabled rules, throw in a bunch of inexplicable rules with some random IP as destination, mix that with bunch more aliases to obfuscate the whole mess, then this most likely won't work properly, and you'll get people accessing what they shouldn't.
Those rules are frickin' unmaintainable mess with no logical ordering.
-
Yeah. Looking at that censored mess… humble suggestion: go ditch that frenzy and restart from scratch. Or perhaps better hire someone for the job.
LOL. So I should hire someone better than the guy who wrote pfsense? Right. Look, I get it, you enjoy punking up on me. Fine. But what you say sorta falls apart when you say things like Chris doesn't know how to setup his own software. If you think that little of him, why are you running his software in the first place? Can we stop the bully-bash and get back to the question of how an IP is able to reach the FTP server to even attempt his SSH command there? Of course it won't work, it's an FTP sever. That's beside the point.
-
Sigh.
1/ No, port 22 is NOT routed to the FTP server. Not per the rules you posted.
2/ Oh, sure. Call me dalai lama.
3/ No. There's this implicit block all rule. Allow what you need. The rest is blocked. Not this ridiculous overhead with millions of table entries.The alias FTPFilezilla passes port 22 to the server at that IP. The server on that IP is set to listen to port 22 for FTP. It's routed via the FTPFilezilla alias.
You don't like the pfBlocker package. I hear that. Don't install it then.
-
Don't pull Chris or anyone else into this shit. You cannot tell SSH from FTP and those rules are frickin' unmaintainable mess with no logical ordering, randomly plopped together. Ditch this crap. Noone will waste time debugging this mess with tons of inexplicable aliases and random allow entire world to anywhere rules in between.
As for pfBlocker, I was one of the pfBlockerNG beta testers. What I don't like is clueless people doing clueless things with that.
Flush the mess down the drain. Enough said.
-
Of course, when you keep sticking allow everyone from everywhere to anywhere any protocol in random places between some more random disabled rules, throw in a bunch of inexplicable rules with some random IP as destination, mix that with bunch more aliases to obfuscate the whole mess, then this most likely won't work properly, and you'll get people accessing what they shouldn't.
Those rules are frickin' unmaintainable mess with no logical ordering.
There are no random IPs as destinations. Yes I use aliases to keep the rule set simple. Yes there are some disabled rules which do nothing except for when enabled for short term use. There are no rules that allow all traffic from anywhere to anywhere except the one that limits the IPs themselves which is a rule put in by pfsense to restrict traffic to IPv4.
I could explain each rule in turn if you want, but since the rule in question is at the top as a block, the rules that follow it should be irrelevant to the problem.
-
I could explain each rule in turn if you want
No, thanks. The censored aliases and destinations and random disabled junk in between with blocks in completely whacky places are the exact opposite of simple. Get paid support.
(As a closing note, once you move your wide open FTP from the most targetted port in the world where it does not belong in the first place, you won't see people trying to breaking into your god knows what because they've mistaken it for SSH.)
-
Don't pull Chris or anyone else into this shit. You cannot tell SSH from FTP and those rules are frickin' unmaintainable mess with no logical ordering, randomly plopped together. Ditch this crap. Noone will waste time debugging this mess with tons of inexplicable aliases and random allow entire world to anywhere rules in between.
As for pfBlocker, I was one of the pfBlockerNG beta testers. What I don't like is clueless people doing clueless things with that.
Flush the mess down the drain. Enough said.
I'm just saying, you want to call it all crap but Chris worked on it and he didn't think it was crap. Many of the rules and aliases there were set up by him. I'm not "pulling" anyone into anything. I'm just saying, it made sense to him.
The rest is just name calling. You honestly think I don't know FTP from SSH? Come on! And the ports are routed for that. Could that port be routed to something else on a different server? Sure it could.. but it's not on this server. It's routed to the FTP server. That's beside the point. The point is he shouldn't be able to get to any port at all if he's blocked in a rule above that, and he is.
